How to solve Password Management - Password in configuration

Hi, I am using HP Fortify to find all vulnerabilities of my app, and now I am trying to solve one that seems basic, but I am not able to do it.

The problem is about a password in configuration. I have a web application, and inside of it, in a properties file, I have something like this:

somePassword=passwordPlainText

I agree this is wrong, so I tried to obfuscate it with several methods using http://www.jasypt.org/encrypting-configuration.html (the OBS, CRYPT and ENC types), but I always get the same warning from Fortify when I scan my code. Am I doing something wrong?

Thanks

cralfaro Avatar asked Mar 31 '16 09:03

1 Answer

You may find the following answer helpful. I'm assuming this might be a database password, but the same concepts apply to accessing other types of accounts.

https://security.stackexchange.com/questions/22817/how-to-encrypt-database-connection-credentials-on-a-web-server

The basic principle is that you want to avoid an accidental leak of the credentials, so put them somewhere outside of the code (where all developers would see them), in a configuration file that is outside of the main code root and is carefully access controlled. Ideally, you can avoid passwords altogether by properly configuring database access according to user permissions.

Note: Fortify finds the password issue basically by grepping for "password" (and some variants). So sometimes this is a false positive: if you just have a variable named "password" or a comment that mentions "password", but are not hard coding a password into the file.

quantro Avatar answered Jan 04 '23 05:01

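As an added illustration (not part of either post, and written in Python rather than the asker's Java so it runs stand-alone), here is the layout the answer describes: the committed properties file names the secret, the value sits in a separate file outside the code root, and a file that is group- or world-readable is refused instead of read. The key somePasswordRef, the file name db_password and the POSIX-mode check are assumptions; the sample properties and secret are constructed.

```python
import stat
import tempfile
from pathlib import Path


def parse_properties(text: str) -> dict:
    """Minimal parser for Java-style key=value properties (comments: # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_private(path: Path) -> bool:
    """True only if the file is accessible by its owner alone (POSIX mode bits)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def load_db_password(app_props: dict, secrets_dir: Path) -> str:
    """Resolve the password from a file outside the code root.

    The committed properties hold only the secret's *name* (hypothetical key
    somePasswordRef); the value lives in secrets_dir, which operations keeps
    access-controlled. A too-permissive secret file is refused, not read.
    """
    ref = app_props.get("somePasswordRef")
    if not ref or "/" in ref or ref in (".", ".."):
        raise KeyError("somePasswordRef missing or not a plain file name")
    secret_file = secrets_dir / ref
    if not is_private(secret_file):
        raise PermissionError(f"{secret_file} is readable by group/others")
    return secret_file.read_text(encoding="utf-8").strip()


def demo(mode: int = 0o600) -> str:
    """Constructed scenario: properties in the repo, secret in a 0600 file elsewhere."""
    app_props = parse_properties("# committed file, no secret here\nsomePasswordRef=db_password\n")
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "db_password"
        secret.write_text("constructed-db-secret\n", encoding="utf-8")
        secret.chmod(mode)  # 0o600 passes the check; 0o644 is refused
        return load_db_password(app_props, Path(tmp))
```

With this layout a scanner that greps the repository for "password" finds only the reference key, never a literal value.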